[Esd-l] ZIP scanning, take two (repost)

Mark Wendt (Contractor) wendt at kingcrab.nrl.navy.mil
Mon Feb 23 07:05:29 PST 2004

Okay, maybe I misunderstood sumthin' here.  Is the Sanitizer going to 
actually unzip the file, read the contents, determine whether or not it's 
one of the bad boys, and if so, quarantine (strip) the zip?  If so, then 
turn it on by default.  If not, and we're going to base the quarantine on 
the type of extension, I would rather see it turned off as the default.  My 
quarantine is the bit bucket.  I'm intimately familiar with the 
MANGLE_EXTENSIONS list.  The US Navy allows me to be a little more harsh on 
filenames with certain extensions, and we carry a pretty extensive list, 
that go right to /dev/null.  We've trained our users, as some other folks 
have said, to zip their files.  And it's worked very well with your 
Sanitizer.  We're extremely happy with the Sanitizer John, and look forward 
to the new releases.


At 09:40 AM 2/23/2004, John D. Hardin wrote:
>The scanner will only quarantine, not strip. However, the ZIP
>extension is now "special", so if you have {something}.ZIP in your
>POISON list it *will* take effect. If you don't want to risk losing
>ZIP file attachments, don't put {anything}.ZIP in your POISON list...
>I am not going to add ZIP to the default mangle list. If you wish to
>mangle ZIP attachments as your site policy, you are welcome to through
>overriding the default mangle list.
>I am really reluctant to meddle with the contents of a ZIP attachment
>in any way.
>The Sanitizer does streaming inspection. Once attachment scanning
>starts it is too late to go back and change the attachment headers, so
>there's no way to retroactively mangle the attachment if it contains
>suspicious filenames. The message can only be quarantined for a human
>to inspect.
>What I want community input on is: should the sanitizer by default
>quarantine ZIPs that contain poisoned executables, unless overridden?
>This would conform to the common "permit explicitly only what you
>want, deny the rest" security policy, at the cost of breaking .ZIP
>bypass on sites where the new sanitizer is installed without
>specifying a ZIP security policy.
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
>   does quite what I want. I wish Christopher Robin was here."
>                                 -- Peter da Silva in a.s.r
>    40 days until the Slovakian Presidential Election
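As an added illustration of the check John describes above (this is example code, not the Sanitizer's own or anything posted in this thread): a ZIP is quarantined, never rewritten, when any member filename matches a poison pattern, and only the archive's directory is read, so member contents are never extracted. The pattern list, the function names and the sample archives are assumptions constructed for the example.

```python
import fnmatch
import io
import zipfile

# Constructed poison patterns in the spirit of the POISON / MANGLE_EXTENSIONS
# lists; these are assumptions for the example, not the project's defaults.
POISON_PATTERNS = ["*.exe", "*.pif", "*.scr", "*.vbs", "*.bat", "*.com"]


def poisoned_members(zip_bytes, patterns=POISON_PATTERNS):
    """Return member names whose basename matches a poison pattern.

    Only the central directory is consulted; no member is decompressed.
    Matching is case-insensitive so 'funny.jpg.EXE' is caught by '*.exe'.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if any(fnmatch.fnmatchcase(base, p.lower()) for p in patterns):
                hits.append(info.filename)
    return hits


def decide(zip_bytes, patterns=POISON_PATTERNS):
    """Streaming inspection cannot revisit headers already emitted, so the
    only verdicts are 'quarantine' (hold for a human) or 'pass'.
    An archive that cannot be parsed cannot be vouched for, so it is held too."""
    try:
        hits = poisoned_members(zip_bytes, patterns)
    except zipfile.BadZipFile:
        return ("quarantine", ["<unreadable archive>"])
    return ("quarantine", hits) if hits else ("pass", [])


def build_zip(members):
    """Construct an in-memory ZIP from {name: bytes} (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: one benign, one carrying a poisoned filename.
CLEAN_ZIP = build_zip({"report.txt": b"quarterly numbers", "docs/notes.doc": b"..."})
BAD_ZIP = build_zip({"readme.txt": b"see attached", "photos/funny.jpg.EXE": b"MZ..."})
```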
